Posted
by
timothyon Saturday January 16, 2010 @04:20PM
from the wish-it-was-easy-for-non-attackers dept.

An anonymous reader writes "Security researcher Adam Baldwin has identified that the Sprint and Verizon MiFi devices are vulnerable to a multitude of attacks. Combining these attacks together, an attacker can gain the GPS location of the MiFi device without the user becoming immediately aware. The attack can be successfully executed without authentication and even if the GPS has been disabled by the administrator." There's a video, but a handy text summary, too. Upshot: "Any MiFi user that visits a specially crafted page will give up their GPS location to the attacker."

Uh.. except for the fact that the phones hosting the apps needing to know location.. will be on phones that have GPS receivers and can thus determine location. The router doesn't need to know shit except that there is an 802.11 device locally and a cellular network regionally.

Apps aren't running on the MiFi router any more than a web browser runs on a home router.

That it works even with GPS mode turned OFF on the phone is DIRECT evidence of poor security design.

No, the fact that third parties *found* the back door is direct evidence of poor security design. The fact that the backdoor was there is at least as likely to be an intentional measure for law enforcement purposes as it is to be a mistake. Odds are, when they "fix" this bug, the backdoor will still be there, just hidden a little better.

Because you're on a cellular network and the company providing service wants to know where its users are using them so they can plan the network. Furthermore, if you are missing and need to be rescued, your MiFi giving out your location might be a good thing.

if the phone is only picking up the signal from one tower you can eliminate any side of the tower where another tower is close by, as you would expect to have more than one signal. so unless the tower is completely isolated you can have a pretty good idea where they are, at least what direction.

There are different configurations of sites; varying from three, two or even one sector. Some cell sites will have a remote sector mounted in a physically different location (cost savings). It all depends on where the coverage is needed.

Regarding the reason for GPS functionality: the RF engineers need to know where your MiFi is. It's all about statistics and measurements with those guys.

Regarding the reason for GPS functionality: the RF engineers need to know where your MiFi is. It's all about statistics and measurements with those guys.

Are you saying the router is designed to report its GPS location to the carrier without the user's knowledge (ostensibly for the purpose of improving the network)? That seems like a privacy violation in itself.

Yes. You are in effect using the carriers licensed spectrum. They have a right to know what devices are using it and where. Just because they know where a MiFi is, doesn't mean they have YOUR MiFi location. RF engineers don't deal with customer data (unless they need to meet with a customer), nor do they have access to it.

You are in effect using the carriers licensed spectrum. They have a right to know what devices are using it and where.

Well, there'd be rioting in the streets if it turned out that typical cell phones were constantly reporting GPS data to the carrier, especially if they still did it when the GPS feature was supposedly turned off. Why should a MiFi be any different?

RF engineers don't deal with customer data (unless they need to meet with a customer), nor do they have access to it.

The carrier still has that data, though, and they could be forced to turn it over when faced with a subpoena or warrant -- or, as we've seen repeatedly, they could just decide to turn it over in response to a polite request from the government.

Well, there'd be rioting in the streets if it turned out that typical cell phones were constantly reporting GPS data to the carrier, especially if they still did it when the GPS feature was supposedly turned off. Why should a MiFi be any different?

There is a big difference between a device that in effect acts as a cell site (broadcasting) versus a subscriber handset.

The carrier still has that data, though, and they could be forced to turn it over when faced with a subpoena or warrant -- or, as we've seen repeatedly, they could just decide to turn it over in response to a polite request from the government.

This has nothing to do with your argument. I am speaking from an engineering point of view. However, if/when instances of this occur, people need to sue the Fed (under violation of the Constitution) and the carrier (secondary).

If your main worry is what a large corporation will provide the Fed (warrentless or not), stop using their services (i.e. a mobile) immediately. at&t is on

And there's the problem... with only contact to one tower, you don't have an exact direction... just a distance and a 120 degree range. That creates an arc on the map, all of which has to be checked to find you. E911 would much rather have a GPS point.

Because if you're wanted or missing and have your MiFi with you, it's easier to find you.

Manhunts have gone down like crazy since the popularity of a cell phone means if you are wanted on a warrant for something as insignificant as skipping jury duty, they can ask your cell company where you are right now.

The MiFi device essentially is a phone. It connects to a cellular data network and then makes that connection available over wifi to nearby computers.

If they actually included a real GPS chipset, that would be puzzling, just from a cost/weight/battery life/board space perspective; but basically anything that interacts with a cell network gets location data within the limits of tower triangulation accuracy essentially for free(and then, if Verizon is the carrier, the firmware locks you out of that until y

The Sprint MiFi enables the GPS functionality and allows for Sprint's "Location Based Services" that will plot onto a Google map the restaurants/banks/shopping/gas/etc that are near by. Verizon disables the GPS capabilities of the MiFi!

And by "Verizon disables the GPS capabilities of the MiFi" you mean "Verizon doesn't use it", since the hardware is still there, and can still be activated to retrieve the location of any Verizon MiFi.

I think the main question is why would a glorified router have a GPS built-in? I can see no real reason for a GPS being in a router. Phones? Perhaps. Router? No.

Easy. E911.

The thing's got a 3G modem in it, which is the similar to what you'd find in similar phones (since it's CDMA, I'd expect a 3G CDMA phone). Except that instead of being able to make calls, it only handles data.

3G modems, ehether they're the ones embedded in your phone, or in those "internet sticks" are pretty much the same. Heck, they may

I would have thought a device like that would basically be a fiscal time bomb waiting to go off into the users face. With the download limits and extra charges on mobile broadband used in conjunction with the higher risk wireless connections, I smell a profiteering opportunity for incumbent phone companies to sell less than secure devices to a bunch of gullible unskilled users.

I expect it will not be long before we start hearing horror stories about huge mobile data bills. I consider myself fairly skille

A cell modem is extremely practical in a few limited circumstances. If you travel a bunch and can trade $60 a month for 6 $10 hotel internet fees, it makes sense as anything past those 6 nights is a benefit.

A few people actually need to access a customer database "live" while on the road. Great, this enables that. Even if it costs $150 a month because of overage charges, you are probably coming out ahead in the end.

For the rest of the people on the planet, a cell modem is an utter waste of money.

Since the MiFi is such a novel concept, people might not think it includes anything not related to data connections. By making this mistake and it landing on Slashdot and such, it's advertising the GPS... plus giving notice so nobody can sue them and claim they didn't know they were carrying a device that would reveal their location.

That's easy. Some people did a wardriving scan of the entire nation, noticing what MAC address was given even on WAP/WPA encrypted WiFi systems and where they were when it was detected. Yep... your home WiFi now can tell your laptop you're at home and the work WiFi indicates where the office is. People could do a mass router swap and disable this stuff, but nobody seems to have bothered.

Well, then the attack enables it. Duh. It's a cross-site request forgery, i.e. an attack where the web browser "reflects" a request so that it appears to originate on the inside, where the configuration interface is available. Combine this with the lack of an authentication requirement, the attacker can simply enable the GPS and get the coordinates.

Here's the relevant text from the unavailable web page:

1. Authentication not required.

The MiFi does not require a valid session to commit changes to configuration settings. This makes exploiting the below issues a lot easier when you don't have to require that the victim have a valid session.

2. Enable GPS without the users knowledge.

The GPS on a MiFi can be enabled by visiting the following URL. Depending on the situation the victim may get a alert that says "Login Required" but if they are like the typical user they will simply click on it and forget it ever happened.

3. Cross-Site Request Forgery (CSRF)

The web interface does not validate referrer or use any magical tokens to protect against CSRF. This means that we can have a victim visit our malicious website and do evil things like change the wireless settings of the MiFi.

4. Output Encoding

In multiple locations of the MiFi web interface user input is not properly encoded when output back to the user. One interesting location is the key field for the wifi settings. I'm wondering why the hell somebody thought it was a good idea to print the wifi key in clear text back to the user, and in this case it's not properly encoded either giving us a nice 63 character persistent injection point for script.